Medicare: Vulnerabilities Related to Provider Enrollment and Ownership Disclosure


CMS can prevent inappropriate payments, protect beneficiaries, and reduce time-consuming and expensive "pay and chase" activities by ensuring that providers that intend to engage in fraudulent or abusive activities are not allowed to enroll in Medicare. For CMS to identify potentially fraudulent providers, as well as those that may be associated with excluded individuals or entities, providers must disclose accurate and timely information about their owners (i.e., individuals or corporations with a 5 percent or more ownership or controlling interest; agents; or managing employees).


For selected providers, we compared three sets of owner names: (1) those on record with CMS for Medicare enrollment purposes, (2) those submitted by providers directly to OIG for this evaluation, and (3) those on record with State Medicaid programs for Medicaid enrollment purposes. When we compared names, if we found owner names that were not identical but were reasonably similar, we considered the names to match. Additionally, we surveyed CMS's Medicare Administrative Contractors regarding their checking of exclusions databases when they process Medicare enrollment applications.


Over three-quarters of Medicare providers in our review had owner names on record with CMS that did not match those that providers submitted to OIG. Further, nearly all providers in our review had owner names on record with CMS that did not match those on record with State Medicaid programs. The prevalence of nonmatching owner names raises concern about the completeness and accuracy of information about Medicare providers' ownership. It also demonstrates that providers may not be complying with the requirement to report ownership changes to CMS. Additionally, 2 of the 11 CMS contractors did not check all required exclusions databases, which could allow providers with excluded owners to enroll in the Medicare program. The two contractors reported that they checked only one of two exclusions databases, and this database does not always have the most current information on excluded individuals and entities. Taken together, these findings reveal vulnerabilities that could allow potentially fraudulent providers to enroll in the Medicare program and limit CMS's ability to provide adequate oversight.


We recommend that CMS (1) review providers that submitted nonmatching owner names and take appropriate action, (2) educate providers on the requirement to report changes of ownership, (3) increase coordination with State Medicaid programs on the collection and verification of provider ownership information in Medicare and Medicaid, and (4) ensure that its contractors check exclusions databases as required. CMS concurred with all of our recommendations.

Copies can also be obtained by contacting the Office of Public Affairs at


Office of Inspector General, U.S. Department of Health and Human Services | 330 Independence Avenue, SW, Washington, DC 20201